Great timing for this thread. A recently updated password policy has sparked some debate at %dayjob%. It contains some of the expected requirements:

- unique per account
- varying length requirements based on account type (domain user, administrative user, etc.)
- don't include userID or personal information (birthday, phone number, SS#, etc.)
- standard complexity requirements (uppercase/lowercase/numerical/special)

...then some additional requirements, which are raising some eyebrows:

- must not contain a dictionary word
- must not contain repetitive or sequential characters
- must not be derived from publicly searchable internet or social media information (favorite sports team, names of friends or family, schools, restaurants, etc.)

While I understand the intent, my opinion is that no typical end-user is going to truly understand what these requirements mean, or will simply find them too difficult to comply with. Our current expiration policy is 90 days. I believe the end users would rather deal with more frequent password changes than have to adhere to the above stated policy.

Interested in other opinions....

- Sean

On Wed, Apr 27, 2016 at 3:33 PM, Micheal Espinola Jr <michealespin...@gmail.com> wrote:

> Thanks. 100% true story + federal investigation. State lines were crossed, and millions of dollars were at stake.
>
> --
> Espi
>
> On Wed, Apr 27, 2016 at 2:39 PM, Dave Lum <l...@ochin.org> wrote:
>
>> That’s a perfect example Michael.
>>
>> Or, let’s say I am in IT at Target, maybe later I move into IT at an HVAC company that has VPN access to Target (IT guys working at companies that do business with their former employers? Never happens right?). Maybe my PC at the HVAC place gets compromised and since Target never disabled my account and I use the same password at %newjob% as I did %oldjob%, a simple hop over VPN now leverages the access I had at Target…
>>
>> Except what actually happened with Target was *harder* than what I described above.
>>
>> IMO any place that doesn’t require a password expiration of any kind is likely (exceptions to this, sure) the same place that doesn’t have a process for disabling all the access former employees have.
>>
>> Dave
>>
>> *From:* listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] *On Behalf Of* Micheal Espinola Jr
>> *Sent:* Tuesday, April 26, 2016 6:31 PM
>> *To:* ntsys...@lists.myitforum.com
>> *Subject:* Re: [NTSysADM] RE: Password expiring debate on patch management
>>
>> 1. Old admin knows many management passwords
>> 2. Old admin goes to work for competitor
>> 3. Company and competitor are up for same contracts
>> 4. Old admin remotes into company to look at emails and presentation materials
>> 5. Competitor starts taking business from company by usurping sales pitches in very specific ways
>> 6. I get hired 2+ years after old admin in question
>> 7. I review remote logs to establish behavioral patterns
>> 8. I see odd logon behavior and trace repetitive IPs
>> 9. I trace IPs to competitor as well as old admin specifically
>>
>> I am Jack's complete lack of surprise when management doesn't change their password and uses the same passwords for many things.
>>
>> --
>> Espi
>>
>> On Mon, Apr 25, 2016 at 4:27 PM, Kennedy, Jim <kennedy...@elyriaschools.org> wrote:
>>
>> "Even six months is far better than never"
>>
>> Why?
>>
>> ------------------------------
>> *From:* listsadmin@lists.myitforum.com [listsadmin@lists.myitforum.com] on behalf of Dave Lum [l...@ochin.org]
>> *Sent:* Monday, April 25, 2016 6:58 PM
>> *To:* ntsys...@lists.myitforum.com
>> *Subject:* [NTSysADM] Password expiring debate on patch management
>>
>> Anyone see the debate on the Patch management list, driven by this:
>> https://www.cesg.gov.uk/articles/problems-forcing-regular-password-expiry
>>
>> I don’t even know how it’s a debate other than the desired frequency (no one-size-fits-all on that IMO). Even six months is far better than never. With expiring passwords you at bare minimum mitigate employees that leave.
>>
>> *David Lum*
>> *Systems Administrator III*
>> *P:* 503.943.2500
>> *E:* l...@ochin.org
>> *A:* 1881 SW Naito Parkway, Portland, OR 97201
>> www.ochin.org
>>
>> Attention: Information contained in this message and or attachments is intended only for the recipient(s) named above and may contain confidential and or privileged material that is protected under State or Federal law. If you are not the intended recipient, any disclosure, copying, distribution or action taken on it is prohibited. If you believe you have received this email in error, please contact the sender with a copy to complia...@ochin.org, delete this email and destroy all copies.
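As an added example (not from the thread or from Sean's employer's policy), here is a Python checker for the rules Sean lists: length by account type, the four complexity classes, no user ID or personal information, no repetitive or sequential characters, and no dictionary word. The length thresholds, the wordlist and the sample passwords are constructed placeholders, since the thread gives no concrete numbers.

```python
import re

# Constructed stand-ins for the policy's parameters; the thread does not
# state concrete lengths or a wordlist, so these are illustrative only.
MIN_LENGTH = {"domain user": 12, "administrative user": 16}
WORDLIST = {"password", "summer", "welcome", "portland", "admin"}


def has_run(pw: str, n: int = 3) -> bool:
    """True if pw contains n or more identical characters in a row ("aaa", "!!!")."""
    return re.search(r"(.)\1{%d,}" % (n - 1), pw) is not None


def has_sequence(pw: str, n: int = 3) -> bool:
    """True if pw contains n consecutive ascending or descending characters
    ("abc", "321", "xyz"), compared by code point, case-insensitively."""
    s = pw.lower()
    for i in range(len(s) - n + 1):
        diffs = {ord(s[j + 1]) - ord(s[j]) for j in range(i, i + n - 1)}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def check_password(pw, account_type, user_id, personal=()):
    """Return the list of policy rules the password violates (empty = compliant).

    personal: constructed list of strings the user is known by (team, school,
    family names) to approximate the "publicly searchable information" rule.
    """
    problems = []
    if len(pw) < MIN_LENGTH[account_type]:
        problems.append(f"shorter than {MIN_LENGTH[account_type]} for {account_type}")
    classes = [r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]"]
    if not all(re.search(c, pw) for c in classes):
        problems.append("missing one of upper/lower/digit/special")
    low = pw.lower()
    if user_id.lower() in low:
        problems.append("contains user ID")
    if any(p and p.lower() in low for p in personal):
        problems.append("contains personal information")
    if has_run(pw):
        problems.append("repetitive characters")
    if has_sequence(pw):
        problems.append("sequential characters")
    if any(w in low for w in WORDLIST):
        problems.append("contains a dictionary word")
    return problems
```

Run over a candidate such as "Summer2016!!!" it reports both the dictionary word and the repeated "!!!", which is the kind of feedback a user needs to make the policy understandable at all.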